A Joint Solution for Effective Vulnerability Management in Software-Defined Vehicles


We are excited to introduce a joint solution combining ONEKEY and ESCRYPT CycurRISK that addresses the pain points the automotive industry faces in vulnerability management for software-defined vehicles.

Under UN Regulation No. 155 (UN R155), OEMs are required to monitor, detect, and respond to vulnerabilities in their vehicles. Effective vulnerability monitoring is challenging, however, because it first requires knowing which software components, in which versions, run on each vehicle. Maintaining this information in a software bill of materials (SBOM) is a complex task. In addition, vulnerability scanning often produces a long list of potentially relevant findings, making it difficult for developers to prioritize and address them.

To alleviate these pain points, we present our joint solution. ONEKEY provides a platform to manage and validate SBOMs and to detect and auto-prioritize vulnerabilities. It generates the list of software components (the SBOM) automatically from a binary, without requiring access to the source code. Known vulnerabilities (CVEs) and previously unknown vulnerabilities (zero-days) are then identified and prioritized within minutes. ESCRYPT CycurRISK, in turn, supports the creation and maintenance of threat analysis and risk assessment (TARA) documents. Analysts capture context about the analyzed function or component, such as the assets it handles and the attack paths that reach it, and use it to rate the impact of potential attacks on those assets in that context. This context from ESCRYPT CycurRISK is then used to rank the vulnerabilities found in the software, so that the findings which matter most for the vehicle surface first.

With this joint solution, the large number of identified vulnerabilities becomes manageable. Developers receive a filtered and prioritized list of findings, allowing them to focus their remediation effort on the parts of the software that matter most.
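The workflow described above, as an added illustration of the idea rather than code from ONEKEY or ESCRYPT CycurRISK: match the components of a binary-derived SBOM against advisories, then weight each hit by the impact rating and attack-path exposure recorded in the TARA before ranking. The SBOM, the advisory entries (with made-up `EX-` identifiers instead of real CVEs), the TARA context, the weight tables and the scoring formula are all constructed for this example; a real deployment would use the products' own data and ranking logic.

```python
"""Constructed example: SBOM -> advisory matching -> TARA-weighted ranking.

Not ONEKEY / ESCRYPT CycurRISK code. Every data item and the scoring formula
below are assumptions made for the demonstration.
"""
import re

# Assumed weight tables: impact ratings use the ISO/SAE 21434 wording,
# exposure reflects how far an attacker must get to reach the component.
IMPACT_WEIGHT = {"severe": 1.0, "major": 0.75, "moderate": 0.5, "negligible": 0.1}
EXPOSURE_WEIGHT = {"remote": 1.0, "adjacent": 0.7, "local": 0.4, "physical": 0.2}


def version_key(version):
    """Sortable key: '1.1.1k' -> ((0,1),(0,1),(0,1),(1,'k')).
    Numeric parts are tagged 0 and alphabetic parts 1, so tuple comparison
    never compares an int with a str and '1.1.1k' sorts after '1.1.1'."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def is_affected(version, constraints):
    """True if `version` satisfies every (operator, bound) constraint."""
    v = version_key(version)
    return all(_OPS[op](v, version_key(bound)) for op, bound in constraints)


def prioritize(sbom, advisories, tara, threshold=1.0):
    """Return advisory hits for the SBOM, scored with TARA context and sorted
    highest first. Hits scoring below `threshold` are filtered out."""
    findings = []
    for comp in sbom:
        name, version = comp["name"], comp["version"]
        ctx = tara.get(name)
        if ctx is None:
            # No TARA entry: never silently downgrade, score at full weight
            # and flag the component for analyst review instead.
            impact_w, exposure_w = 1.0, 1.0
            note = "no TARA context; needs analyst review"
        else:
            impact_w = IMPACT_WEIGHT[ctx["impact"]]
            exposure_w = EXPOSURE_WEIGHT[ctx["exposure"]]
            note = ctx["asset"]
        for adv in advisories:
            if adv["component"] != name or not is_affected(version, adv["affected"]):
                continue
            score = adv["cvss"] * impact_w * exposure_w
            if score < threshold:
                continue
            findings.append({"id": adv["id"], "component": f"{name} {version}",
                             "priority": score, "context": note})
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings


# Constructed SBOM, as extracted from a firmware image (versions are made up).
SBOM = [
    {"name": "openssl", "version": "1.1.1k"},
    {"name": "busybox", "version": "1.33.1"},
    {"name": "zlib", "version": "1.2.11"},
    {"name": "dropbear", "version": "2020.81"},
    {"name": "libcurl", "version": "7.70.0"},
]

# Constructed advisories with hypothetical EX- identifiers, not real CVEs.
ADVISORIES = [
    {"id": "EX-0001", "component": "openssl", "cvss": 7.5,
     "affected": [(">=", "1.1.1"), ("<", "1.1.1l")]},
    {"id": "EX-0002", "component": "busybox", "cvss": 9.8, "affected": [("<", "1.34.0")]},
    {"id": "EX-0003", "component": "zlib", "cvss": 7.5, "affected": [("<", "1.2.12")]},
    {"id": "EX-0004", "component": "dropbear", "cvss": 5.3, "affected": [("<", "2020.80")]},
    {"id": "EX-0005", "component": "libcurl", "cvss": 6.5, "affected": [("<", "7.71.0")]},
]

# Constructed TARA context: which asset each component protects, the impact
# of compromising it, and the attack path that reaches it. libcurl is left
# out deliberately to show the unassessed-component case.
TARA = {
    "openssl": {"asset": "TLS session keys to backend", "impact": "severe", "exposure": "remote"},
    "busybox": {"asset": "ECU shell and update process", "impact": "major", "exposure": "local"},
    "zlib": {"asset": "diagnostic log compression", "impact": "negligible", "exposure": "remote"},
    "dropbear": {"asset": "engineering SSH access", "impact": "major", "exposure": "remote"},
}

if __name__ == "__main__":
    for f in prioritize(SBOM, ADVISORIES, TARA):
        print(f"{f['priority']:5.2f}  {f['id']}  {f['component']:18}  {f['context']}")
```

Run as-is, the script ranks the openssl hit first (severe impact, remotely reachable), the unassessed libcurl hit second, and the busybox hit third even though it carries the highest CVSS score, because the TARA records it as reachable only locally. The zlib hit drops below the threshold (negligible impact) and dropbear is not affected at all. The unassessed case is the caveat worth keeping: a component missing from the TARA should surface for review, not disappear from the list.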

Looking ahead, we are excited to announce further upcoming topics. First, we will explore feeding information from vulnerability management back into the TARA, so that the risk assessment stays current as new findings arrive. Second, we aim to build an extended ecosystem by closely interweaving other ETAS cybersecurity products and solutions, such as ESCRYPT CycurGUARD and ESCRYPT CycurFUZZ, to further improve the efficiency and effectiveness of vulnerability management in software-defined vehicles.

Stay tuned for more updates on these exciting developments!



ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from purchasing, design, development and production through end-of-life.
